Bugtraq mailing list archives
Re: Vulnerability in multiple "now playing" scripts for various IRC clients
From: Wouter Coekaerts <wouter () coekaerts be>
Date: Thu, 16 Aug 2007 20:57:16 +0200
On Wednesday 15 August 2007 18:27, v9 () fakehalo us wrote:
I may be rusty with knowledge about mirc (say almost 10 years out of date)...but, in what situation would the pipe ('|') ever be processed from a variable, even if it was read from a mp3 ID3?
It gets processed before it ends up in an mirc variable. The plugin to link your media player to mirc sends something like: "/set %songname <insert song name here>" And it's when executing that command that it goes wrong already, not in the command that's using the variable. That's why it's easier to exploit: the user only needs to play the song, he doesn't need to do anything in mirc. In my old notes, I found that at least these plugins have this problem: * Nullsoft mIRC Control Plug-in v0.6 (gen_mirc.dll) and other versions * mIRC Control EX Plug-In V 2.00 (gen_ircex.dll) and other versions * mIRCPlug v1.0,1.2 (gen_mircplug.dll) Those are all old plugins. I don't know if they're still used a lot, or what the currently popular plugins for this are, and if they're vulnerable or not. On Wednesday 15 August 2007 19:34, Michael Tharp wrote:
This is probably a bigger concern for *nix scripts, especially of the homebrew variety
I haven't found any public script for a *nix client that allows arbitrary command execution like this (they only allow sending IRC commands to the server). Wouter.
Current thread:
- Vulnerability in multiple "now playing" scripts for various IRC clients Wouter Coekaerts (Aug 13)
- <Possible follow-ups>
- Re: Vulnerability in multiple "now playing" scripts for various IRC clients v9 (Aug 15)
- Re: Vulnerability in multiple "now playing" scripts for various IRC clients Michael Tharp (Aug 15)
- Re: Vulnerability in multiple "now playing" scripts for various IRC clients Wouter Coekaerts (Aug 16)